Hi Forum,
I have a service account I have built for a third party workspace management service that requires read and write privilege to every room and desk resource I have in my domain. As root admin, I know I can go calendar by calendar and manually add this service account to each respective calendar resource, how would I do this in bulk for 200+ resources and hopefully in perpetuity?
Cheers,
Ham
Solved! Go to Solution.
You can do this with the free, open source, command-line, indispensable GAM tool. Check out:
for more details.
Hope that helps,
Ian
@ham_the_admin Please find the below solution from a gam expert:
Advanced GAM solution:
# Get a list of resources, use a filter if desired: https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars/list
gam redirect csv ./Resources.csv print resources
# Inspect Resources.csv, delete any rows that shouldn't be included
# Replace us...@domain.com with actual value
gam redirect stdout ./AddResourceACLs.txt multiprocess redirect stderr stdout csv ./Resources.csv gam resource "~resourceId" create calendaracls editor user:us...@domain.com
# Inspect AddResourceACLs.txt
@ham_the_admin have you tried the domain-wide delegation option already?
Unsure how to implement within Google Cals itself and don't see a ton of documentation. Was hoping for a more simplistic ability to do it through the admin UI.
Essentially trying to avoid having to do this x200+ resources:
HI @ham_the_admin I understand the same- The domain-wide delegation is designed for this purpose :
"App developers and administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' data without requiring each user to give consent. Typical apps granted domain-wide delegation"
It's available in
@ham_the_admin I suppose when you say service account, you mean a workspace user account, that you have delegated admin privileges to. sadly there is a bug it seems at the moment, as the delegated admin privileges do not allow to manage calendar permissions. this has been reported and ticketed up to Google support for a while now.
You can use a script, and give the script the capability to do this in bulk, but you will need to use Domain wide privileges (as mentioned by @ajojose33333344 ) and create a GCP Project to manage the authentificaiton. this requires some knowledge on oauth2 procedures in appscript.
If you execture the script as super admin, this is not necessary.
@AlanM will these scopes won't help?
Scopes
https://www.googleapis.com/auth/calendar | See, edit, share, and permanently delete all the calendars you can access using Google Calendar |
https://www.googleapis.com/auth/calendar.events | View and edit events on all your calendars |
https://www.googleapis.com/auth/calendar.events.readonly | View events on all your calendars |
https://www.googleapis.com/auth/calendar.readonly | See and download any calendar you can access using your Google Calendar |
https://www.googleapis.com/auth/calendar.settings.readonly | View your Calendar settings |
This is spot on. "Service Account" meaning a user (sa_google@domain.xxx) that has domain wide visibility and read/write edit rights to cals as an intermediary for 3rd party apps ie Zoom Room/Workspace, Space IQ, Robin or Teems etc.
Example:
https://support.zoom.us/hc/en-us/articles/206905656-Setting-up-Zoom-Rooms-with-Google-Calendar
the "How to share a Zoom Room calendar resource" portion of the equation is what I am doing but hating life as we I have 200+ resources and likely more to come.
As root/super will try the appscript route, new to GCP. Thank you!
Is it only resources you need to manage? If so, resources can be managed centrally from the admin console. I would explore the Admin SDK and APIs to see if resources can be controlled through that.
It is resources I'm hoping to manage, and was hoping for a way to do it in Admin Console, however not seeing any easy way to manage bulk user, Group or OU privilege in Admin Console. Can update all things about resource and hierarchy within workspace for resources with the exception of user privilege (to my understanding at this point).
You can do this with the free, open source, command-line, indispensable GAM tool. Check out:
for more details.
Hope that helps,
Ian
@ham_the_admin Please find the below solution from a gam expert:
Advanced GAM solution:
# Get a list of resources, use a filter if desired: https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars/list
gam redirect csv ./Resources.csv print resources
# Inspect Resources.csv, delete any rows that shouldn't be included
# Replace us...@domain.com with actual value
gam redirect stdout ./AddResourceACLs.txt multiprocess redirect stderr stdout csv ./Resources.csv gam resource "~resourceId" create calendaracls editor user:us...@domain.com
# Inspect AddResourceACLs.txt